mft2csv - NTFS systemfile extracter and $MFT decoder


Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Mon Feb 06, 2012 9:24 am

Oops, I was staring at page one and had no idea 2 more pages followed the discussion :)

Quickly scanned the content and I now see mention of fixup for INDX blocks as well?

Do I have to correct these blocks as well before processing them?

CyberGonzo
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Mon Feb 06, 2012 8:35 pm

@CyberGonzo
No need for worrying about INDX for $MFT parsing, I believe. It was just mentioned to show how the fixup arrays are built up and relate to the $Logfile.
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Tue Feb 07, 2012 6:05 pm

@Joakim

No, Ddan was right.
I now 'fixup' INDX structures too and it has 'fixed' a few issues, such as incomprehensibly corrupted filenames etc.

PS. I'm not getting emails anymore when somebody posts in these threads. Is this just me or is there a site malfunction?

CyberGonzo
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Tue Feb 07, 2012 10:52 pm

@CyberGonzo

Sorry for not replying sooner.

As far as I am aware fixup is used in mft records, indx records and logfile records. Whichever set you are processing, fixup needs to be done on that set. As you have noted, not doing fixup can cause all sorts of bizarre issues.

With the count of fixup words, since fixup is done on a sector by sector basis, you need one word for each sector in the record plus one control word.

Ddan  

Ddan
Member
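
The fixup rule described in the post above (one saved word per sector plus one control word), as an added example that is not part of the original posts or of mft2csv. It assumes the usual layout in which the fixup array offset and word count sit at bytes 4 and 6 of a FILE/INDX/RCRD record and a 512-byte fixup stride; the sample record is constructed.

```python
import struct

SECTOR = 512  # fixup stride assumed here; the usual NTFS value


class FixupError(ValueError):
    """Raised when a record's fixup data is inconsistent."""


def apply_fixup(record: bytes) -> bytes:
    """Return a copy of a FILE/INDX/RCRD record with its fixups applied."""
    if len(record) < 8:
        raise FixupError("record too short for a multi-sector header")
    # Header: 4-byte signature, then fixup array offset and word count.
    usa_off, usa_count = struct.unpack_from("<HH", record, 4)
    sectors = usa_count - 1          # one word per sector plus one control word
    if sectors < 1 or sectors * SECTOR > len(record):
        raise FixupError("fixup count does not match record size")
    if usa_off + 2 * usa_count > SECTOR - 2:
        raise FixupError("fixup array overlaps the first sector's tail")
    control = record[usa_off:usa_off + 2]
    out = bytearray(record)
    for i in range(sectors):
        tail = (i + 1) * SECTOR - 2  # last two bytes of sector i
        if record[tail:tail + 2] != control:
            raise FixupError(f"sector {i}: tail differs from control word")
        saved = usa_off + 2 * (i + 1)  # original bytes stored in the array
        out[tail:tail + 2] = record[saved:saved + 2]
    return bytes(out)


def build_sample() -> bytes:
    """Constructed 1024-byte record as it would look on disk (not real data)."""
    disk = bytearray(b"FILE" + bytes(1020))
    struct.pack_into("<HH", disk, 4, 0x30, 3)   # array at 0x30, 2 sectors + 1
    struct.pack_into("<H", disk, 0x30, 0x0007)  # control word
    disk[0x32:0x34] = b"AB"                     # saved tail of sector 0
    disk[0x34:0x36] = b"CD"                     # saved tail of sector 1
    disk[510:512] = disk[1022:1024] = struct.pack("<H", 0x0007)
    return bytes(disk)
```

A sector tail that does not match the control word is reported rather than silently patched, since parsing such a record produces the kind of corrupted filenames mentioned earlier in the thread.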
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Wed Feb 08, 2012 8:07 am

Thanks Ddan  

CyberGonzo
Senior Member
 
 
  

Re: mft2csv - NTFS systemfile extracter and $MFT decoder

Posted: Sat Feb 11, 2012 6:35 pm

Does anyone know what the 4-byte signature is for that is found right after the record end marker (0xFFFFFFFF)?
_________________
Joakim Schicht

github.com/jschicht 

joakims
Senior Member
 
 
